Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Possibly a biased source, but not exactly a shocking conclusion. The OS X kernel is a massive amount of C and embedded C++ code. On top of that is a huge pile more code. It's not going to be bug free, and at least some of those bugs will be exploitable. It does about the same set of things as other modern operating systems to reduce the damage that a compromised application can do (e.g. making it easy to run apps in sandboxes), but any network-exposed system running arbitrary code is vulnerable, the only question is whether the effort involved in finding and exploiting a vulnerability is greater than the reward.

That's the problem. While the conclusion is hardly surprising, and is in fact what many people have been predicting for years, a lot of people are going to say "oh, it's Microsoft, FUD!" and ignore it. Interestingly, using many of the same vectors a virus for Linux is equally possible, it's just that most virus writing these days is done for profit, and it's not a big enough target to make it worth their time.

Virus ? Seriously you can craft some damned document in postscript that can thrash any system that has the ps interpreter.PS is a turing complete language. You can pull some crazy stuff with this shit.

Will it actually thrash it so that it requires a reboot, or just soak up all the CPU cycles on one core until the user gets around to running top and killall -9? (I guess this basically boils down to: does postscript have a fork call?)

It's true that *abstractly*, any computer system has bugs and
vulnerabilities, and if you attach it to an untrusted network and if
this network has a lot of malware that targets the system then
compromises will happen, in direct proportion to the quantity of
malware in circulation and the number of bugs and vulnerabilities in
said system, which itself is proportional to the amount of code etc.

But having said that, malware is not very smart or adaptable and this has nothing to do with the profit motive: every
tiny change in a target system requires a rewrite or an addition to
the malware code, and the more additions there are the bigger and
more conspicuous the malware becomes, which makes it easier to recognize.

That's why patching systems is effective, the malware is too dumb to smoothly react to the unexpected. It's also why predominantly Microsoft and to some extent Apple systems are more vulnerable than Linux systems. Microsoft OSes are hyper identical (available APIs, installed software, etc), so malware can be quite dumb and still be successful. Apple systems are a monoculture too. But OSes that come in kits and have lots of alternative subsystems that must be configured by users/owners, like Linux, are inherently safer. The malware just has too many variations to consider when it tries to invade. Note that systems like Android are also more vulnerable, like Apple systems, because the needs of user friendliness and unified user experience result in monoculture again.

And thats where the commercial/consumer world is shooting itself in the foot.
As the installed base grows, the cluster of identical machines grows at the same rate. Whereas in the more chaotic world of Linux/*BSD, the total installed base can grow but it's ok to fracture into alternative distros and flavours, and it suffices for the number of incompatible alternative clusters to grow at the same rate as the total installed OS base, so you can have more and more clusters which are all of a limited size and any malware can only affect one or two clusters at a time.

But the monoculture of Apple and to a lesser extent Windows is also what makes those systems so useful to so many people. You don't have to understand every intricacy of software systems that branch like a wild vine to get something done on a stock Windows or Apple system.

The same thing that makes the Apple and Windows system so vulnerable to malwares is what make it so easy for a user or an administrator to comprehend how to use and configure it. And this is for the same reason. It's inefficient for h

That's because by the time they had a fully functional system, there were so many obscure configurations, custom scripts, and dirty hacks required that they are the only one who knows how to administer it.

It's not widely used because it's secure. It's widely used because it's cheap, and it's easily capable of doing the job in back-end environments where it can be locked down and prevented from running arbitrary code at the user's whim.

Except the kernel isn't the problem. I haven't heard a single word about this recent malware crap that indicates it exploits the kernel or somehow achieves supervisor mode. Nor have I heard a single word about user-less exploits, as opposed to how you could simply install Windows, connect to the network, and have it owned within an hour, if not minutes.

All this has been user land exploits, which require a user to do something. Some of them haven't even required the user to do something stupid, other than t

Does someone know what's the case with Windows 7? Let's say I install the original gold master of Win7 and apply no patches, leave it with a public IP address but don't otherwise do anything. Is the box vulnerable?

Does someone know what's the case with Windows 7? Let's say I install the original gold master of Win7 and apply no patches, leave it with a public IP address but don't otherwise do anything. Is the box vulnerable?

The Microsoft Exec that claimed early in Windows 7 lifecycle backtracked from those comments. Combined with the security patches released since it's release the answer is Yes.

It was also found that the Titanic was not unsinkable... Shock Horror !!!

I do not think that any intelligent person thought that Macs are unsinkable/invulnerable, just that they are much harder to attack than a Windows box. Same with Linux, of it can be, it is just much more safe than Windows.

Leo Laporte on the "This WEEK in Tech" and "MacBreak Weekly" podcasts have said several times over the last 5-6 years that the reason why Macs running OS X haven't been hit with malware was that until very recently, there wasn't enough Macs out there to justify the effort to write malware that can infect these machines.

But now, with the terrifying success of the "Flashback" malware, it's now open season on Mac users. As such, Apple may have to develop a true Internet security suite with automatic virus/malw

Interesting that the GP said "easy to use" and you changed that to "easy to install". Which of corse isn't the same thing at all. For sure, Linux is not easy to use. But lets quantify that - it's less easy to use than the other 2 mainstream desktop OSs.

yes, until mom needs word processor (cloud services like google doc don't count), and the ability to watch movies their kids email her of a newborn. The point is, while you could help your mom install linux or whatever other app she needs initially, she can't go out and download or buy additional software on her own, and then install it on her own.

I enjoy linux as any other, but I don't think it passes the grandma test yet.

It's hard to say if grandma is really in a worse position here with Linux. As we know, usually you have all the programs (browser, word processor, movie player...) already installed, while in Windows you have to install all kinds of stuff separately.

That being said, Linux is indeed having bad problems supporting third party stuff. There is currently no easy and unified ways of installing apps or drivers if they come outside of the distribution.:(

Unfortunately there's lots of brokenness like that in Linux distros. Things work generally nicely, but when you even slightly fall off the beaten path, there is not enough robustness to handle the condition. You might get some completely wrong error message and somewhere deep is just a script failing with an obscure "Invalid argument".

There should be more attention for things like this than the hipster desktop environment of the month...

Accepting the fact your OS has flaw's is first stepping to make a secure OS, Apple for years claimed their OS didn't have any. Know all mac fan boys are finding out the hard way and its only gonna get worse.

Accepting the fact your OS has flaw's is first stepping to make a secure OS, Apple for years claimed their OS didn't have any.

Uh, no. They didn't. The fact that they've regularly and consistently provided security updates shows that they recognize that they have flaws in their OS that need patching. What they have claimed is that they don't have a lot of viruses, which is absolutely true. Due to Macs not being worth targeting because of a smaller user base, malicious attacks against Macs were very rare compared to PCs (which is always the benchmark they compared themselves to). So their claim was true.

Well, there is a mechanism available to notify users of these updates, but I'm guessing MS is not that interested in handing over 30% of their price. I think Apple's exclusion of 3rd party repositories from their marketplace is pure greed. The Linux model they borrowed from should have been more blatantly copied. I think Windows should do the same, but I think they're following the iOS approach for Metro that locks users to a single market.

Oracle had closed that "gaping hole" several months earlier, it's just that Apple are really slow at releasing security fixes for serious vulnerabilities in third-party software they bundle with their OSes.

Microsoft has included AutoUpdate in Office for years. Every few months when they put out an update it pops up and downloads it for me. You can get to it by going to the Help menu and choosing Check for Updates in any Office Application if for some reason you want to run it manually.
Maybe they could do a better job, but I think your statement that there is no easy way to notify users is fundamentally false.

Mac fanboys aren't finding out much of anything the hard way. Most of them have spent years in a relatively virus and spyware free world without having to worry too much. Not perfect but rather good, while Windows users live in a constant state of war.

And it may or may not get worse. Apple has a lot of potential security in place that can be implemented almost instantly if security becomes a top priority; Microsoft was introducing new security features as the virus and spyware wars started. Apple's othe

While I will agree with lack of surprise from/.ers, most of my colleagues that enjoy their Macs like to tout "invulnerability" to malware. Mac-pride makes them brave/foolish to the point they will not bother with anti-virus. I think they are more the norm than exception for Mac users. Once the Mac OS reaches a high enough number of users, there will be a significant surprise for most users.

It's about marketshare. IT has only ever been worthwhile for virus writers to target a platform that is popular enough to warrant a return on investment, whether that be fame or clandestine botnet software.

People always used to use half baked arguments trying to claim that OS X was mroe secure because it was "unix" or some crap, despite OS X being very insecure [osnews.com] for most of it's run.

Aside from being common sense this is supported with some pretty solid mathematics, not least an article in an IEEE journal sho

Hmm, since Linux has by far the largest market share, then by your logic, it must have the most viruses.
Yes, Windows probably has the largest market share on desktop machines (a dying breed), but Linux leads on computers overall, by a wide margin. Samsung alone sells hundreds of millions of Linux machines each quarter. So where are the Linux viruses?
The difference is in the design, which is not dependent on market share.

I was not aware that there was a docking station that provided peripheral (including USB, printing, and mass storage) support, an extended displa, and a full hardware keyboard and trackpad (or mouse/trackball.whatever via USB) for an existing iDevice. In fact, I'm still not aware that there is, even after reading your link.

My Motorola Atrix 4G has this and I am typing this reply from it right now. I think spire3661 might be banking on WebTop, an Android extenstion (by Motorola Mobility, now owned by Google,

I believe the term "takes one to know one" has never been more fitting.

But it's true, Macs are now plentiful enough to attract the attention of malware purveyors, and the fact that the target market is so unsuspecting must be making them salivate. It's certainly in M$'s best interests to make this known, and they're doing the Mac fanboi's a favor by putting them on alert.

And before someone sharp-shoots me on the apostrophe, it's acceptable to use one when otherwise the plural forms a misleading word. "Fan

Not only was it opportunistic but the vulnerability comes from A MICROSOFT PRODUCT(It was an office for mac issue)!

If I were apple and feeling particulary snarky I would send out an email to my users warning about microsoft software including the microsoftpost and recommend that they not use Office for Mac and switch over to Libreoffice for a more secure computing experience.

Not that "OMG Apple is evil," but that "Mac users need to wake the fuck up and think about security."

I've met more than a few Mac users who really believe that "Macs can't get viruses," and such things. They don't patch their shit, have weak passwords, etc, etc. They think the magic Apple fairy will protect them from all harm.

I argued they were like someone living in a rich gated community that left their door open all the time. Nobody had broken in because nobody had really tried, but they weren't really s

We'll see if it is over now. Sorry if I'm not too concerned. I've been hearing how the virus apocalypse would happen any day now for a dozen years. Meanwhile Apple has been slowly turning up the security and laying the ground work for a rapid shift if they ever need to.

"It's been more than twenty years since I read Thompson's marvelous paper, but I believe I correctly recall his fundamental point: UNIX, and every system like it, can NEVER be "secure". It doesn't matter how many layers of anti-virus software, "internet worm protection", "firewall" or any other buzzword -- systems like UNIX (including all versions of Linux, Macintosh OSX, and all versions of WinXP) will NEVER be secure. Thompson published his paper and revealed his hack in order to demonstrate this point. "

Closed sourced, open source, free, paid, whatever it is it will never be fully secure and people are foolish to believe anything to the contrary.

First of all, it must be said that the word "mac fan boy"
is one of the most ingenious PR actions against apple.
The statement of Microsoft that "macs are not safe" is a
too obvious PR spin along the same lines.
Any operating system is vulnerable as long as users can modify operating
systems. This is not for discussion. What matters is how fast these
vulnerabilities are handled and communicated and corrected.
Apple as well as Linux distributions have handled vulnerabilities
in the past pretty well and I f

When Microsoft puts out updates, they just put out the updates.... most of the time in single-fixes which are individually selectable and uninstallable. (Doesn't always work but they try) They do it like this because business depends on compatibility and continued operations of their apps. So if a particular update or patch breaks an important app, it can be rolled removed or at least identified and skipped.

Apple doesn't care about that. Apple will push updates and bundle them with anything they like including feature removal and things users don't want.

So what I foresee happening is that Apple will bundle a critical security fix with something else which the users don't want and they will refuse to update their machines.

Some people here are "fans" of a particular brand or whatever. I'm none of those. I just call them as I see them. But if someone must insist I'm a hater of this or a shill for that, I run Fedora Linux on most of my stuff but I hate Gnome3 so I'm going to CentOS until the people out there get their heads on straight and listen to the users.

I'm a fan of Apple, but I have no problem criticizing their OS, apps, or philosophy. I want Apple to improve, and grumble when they drag their feet, or, start to follow trends in app/gui design (e.g., i've noticed the menubars of their apps aren't consistent, or that some apps are just fucking retarded: preview and iphoto... wtf?).

Zealots see their choice as infallible. Period.

We both have brand loyalty, but I think the former is more reasoned in their

Microsoft claims that malware infections will rise on OSX in the future, and as evidence they dissect an exploit that only works on an obsolete version because it is fixed in the lastest version. Your signature is oddly appropriate.

I suppose there could be some people stupid enough to say that, but I haven't seen much of it (unless you count obvious troll posts). In fact, a misconfigured linux system is one of the easiest to hack -- but we're discussing malware, not hacking. Since most linux distros are using repositories for all the third-party software (vs non-tech users zooming around the web downloading "10,000 similies!") malware for linux is pretty darned rare -- much more so than windows or os x. Unless, of course, one counts all the android trojans -- I don't because to me android is a completely unique OS that happens to use some linux code.

Since most linux distros are using repositories for all the third-party software (vs non-tech users zooming around the web downloading "10,000 similies!") malware for linux is pretty darned rare -- much more so than windows or os x.

Of course most OSX third party software is coming from the Mac App Store these days, so the same applies.

The reason why you don't see Linux desktops getting targeted is for multiple reasons, 1.-interoperability is shit, the lack of a unified platform that keeps third parties from touching Linux with a 50 foot pole also keeps away malware writers because the best they could score is say...40% of UBUNTU users, but that same attack probably wouldn't work on RHEL without serious tweaking, or on PCLOS, or on Mepis, you get the picture, 2.- Malware writers want powerful machines because the more powerful the machine the more they can remain hidden while cranking out the spam or spreading the bug. Not to slam Linux users but you DO have a shitload of "How to save that PC from the dump" articles which would give an outsider the impression they are more likely to find a P4 than an i7, and 3.-Malware writers are criminals and criminals are notorious for being lazy. they don't want to have to constantly rewrite their bug because something got fiddled with between Ubuntu maniac monkey and nutty narwhal and their shit got broke. With both Windows and Apple having quite clearly labeled life cycles this makes it easy to know how long a bug could be good for.

If you want to see how badly Linux would get pwned if it was on the radar simply look at android. it has tons of ordinary users, is using the Linux kernel, and has been royally assraped by the malware guys. in the end you simply cannot defeat reality which is thus: ALL Operating Systems are EXTREMELY complex, with literally millions of lines of code all having to interact perfectly and this isn't even counting the third party stuff. hell I doubt even Linus can tell you with 100% certainty when you launch say network manager every single call it will make and what every interaction is, its simply too complex. More than 90% of the planet are NOT geeks, hell they don't even come up to the level of a power user of any system, they know just enough to get it to function and that is it, and finally the malware guys figured out long ago its the USER that is the juiciest target, after all it is they that have the keys to the kingdom so by using social engineering they have become quite adept at getting past the defenses by having their "man/woman on the inside" aka the user, help them achieve their goals.

So it doesn't matter what OS you use, you practice safe computing you'll be fine, practice stupid computing you'll be pwned. For those that think the repos are safe might want to look at how long the repos were handing out an infected Quake 3, try a year and a half. If a malware writer truly wants to target Linux there are ways, target some of the software that isn't as heavily monitored or like I said simply target the users [geekzone.co.nz] and you're in like flynn.

Now you watch as I get modded down for pointing out reality, to be followed by those that treat Linux as a religion (Some call them Freetards, I call them FOSSies because they remind me of Moonies) scream that it just isn't possible, that linux's magical goodness could never be tainted by malware crap...hmmm...where did I hear that before? Oh yeah those that bowed at the altar of Jobs, aka "The Cult of Mac". Wouldn't it be smarter to simply use the best tool for the job and be on your guard? But those that treat tech like ballclubs won't quit rooting for the home team, even when they strike out.

I'm sorry friend but you are mistaken, unless you call sliding a single slider in UAC as some complex action. Win 7 can autosandbox the browser (your choice of IE or any Chromium based) and run it in low rights mode which is actually SAFER than surfing in Linux where running a single program in a much lower set of permissions is far from simple, and then simply add one of several free AVs that also sandbox (My two favorites are Avast and Comodo Internet Security, both work well) and frankly the user need not know anything. The OS will autoupdate, autosandbox, scan ALL pages before load, hell my 71 year old dad is as clueless about tech as they come and his PC has been on the net 24/7/365 running Win 7 since Oct 09 and hasn't has a single problem or bug, the worst problem he has had is he didn't know how to update his browser (it kept telling him there was an update but he kept pushing the X instead of the update button) and that was it.

If you want to know the REAL reason why you see much more infected Windows? let me tell you a true story about the only person i ever threw out of my shop. He comes in, buys a PC from me, and wants me to install limewire. I tell him "I'm sorry but Limewire doesn't exist anymore, they got shutdown by the feds and anything calling itself Limewire now is just a virus pretending to be the real deal. There are several alternative such as Emule and BT if you wish me to install one of those" so what does he do? He promptly goes home with his new PC, Googles "New limewire" and when the AV naturally wouldn't let him install it first he tried to disable and then he removed the AV altogether! Why did he do that? Because the program told him to! When I finally threw him out of my shop (demanding I fix it for free after he broke it by refusing to listen to my instructions or call) he was yelling "It says right there that it IS Limewire so you make it work dammit!

So if you want to know why there are plenty of infected Windows machines its because of the dancing bunnies problem. [codinghorror.com] It doesn't matter how simple or secure you make the OS if the user has install rights because all you have to do is wave the right cookie, be it porn, piracy, hell I've seen users infect their PCs for a CHANCE of winning some iShiny, then all can be bypassed. MSFT thinks they are gonna fix this by going the Apple way with an appstore but it won't work, as porn and piracy won't be offered in the appstore and that will be enough of a cookie to lure victims. Whether you choose to admit it or not to run Linux you HAVE TO have more than moderate PC skills or have a full time admin (such as yourself) willing to work for free simply because you have to know how to deal with updates breaking drivers and other Linux "quirks" one simply doesn't run into on OSX or Windows. Hell simply the fact you have to install it, know what partitions are and what sizes to make them, Google for drivers that aren't included and understand how to find out the exact make/model of said hardware to properly install Linux already puts you above a good 80% of the population. if you wish to argue that let me take away install rights for all my customers who would only be allowed to let me remote in and install approved software? Windows would never get bugs either.

But that argument simply doesn't hold water when the vast majority are on their own, without so much as a geek in the family to guide them. In fact I would argue that them getting Linux installed correctly and having it fully functional for even a year would probably be impossible, since they simply wouldn't have the skills required. Linux is only friendly IF everything works OOTB AND it works after every upgrade, two situations which at least in my experience are about as likely as Santa dropping me off a dozen porn stars for Xmas.

Fact of the matter is, basically all computing requires more trust than should really be granted. We trust Microsoft to patch their vulnerabilities now that malware manages to find ways in through ever more creative means. We trust Apple to have an OS that was never really vulnerable to start with, and we trust GNU/Linux distributions and other free operating systems to have clean repositories and to be free of backdoors. We rely on non-OS, internet-connected software companies to produce software that isn't vulnerable to bringing problems in from the Internet.

All of these are essentially untrue, or are relying on means of security that can't be verified or well tested until something comes out in the wild. We instead rely on updates after the fact, and on feeble attempts by some to make programs to remove malware.

Even in the privileged/unprivileged user landscape that modern OSes are capable of using, too many users desire more credentials on their local computers than they need in order to perform the very basic tasks that a computer user does on a daily basis. In the early days I too was guilty of this, but learned. Unfortunately when there are combinations of vectors to infect the local user and then local root exploits even a good privileges model won't work.

We should demand more out of our browser developers and more out of our plugin developers. That is the single biggest category of infection route, and I'm sorry, but software that voluntarily brings in and deploys the exploit simply by visiting a markup-language page is completely unacceptable. Fix the bugs before worrying about new features.

Android is a great example how malware just gets there, around the obstacles when the market share is right. It's even on their official store.

No. There is virtually no malware for the iOS, which is in the same ball park as far as market share is concerned. So it's not just market-share. Security, including walled gardens, make a huge difference.

I basically agree, but the fact that there continue to be jailbreaks for iOS means that there are serious security holes. Luckily, people seem to be more interested in jail breaking than other exploits.

What I mean by long gone is that it last worked on 4.3.3, which was superseded in July 2011. (We're on 5.1 now, and there has been several point releases in between). And it's never worked in any way, on any version, on latest hardware (iPhone 4S or new iPad).

Un-thethered exploits reportedly still exist

The use of the term "Untethered" is unintuitive and not quite what you think it is. "Tethered" means you need to connect to a computer every time the phone is rebooted. Untethered means it will reboot with the jailbreak still operative even if you're n

Most of this has been known by, well, knowledgeable users by a long time. Most of the malware now comes via third party software or stupid users. It really doesn't matter what platform you use, as hackers will find a way around to get the best bang.

As one of my great compatriots once said: Artificial intelligence will soon best the natural one, but there's no adequate substitute for natural stupidity.

I assume you mean cannot get drive-byes. Linux is hacked in broad scene rather often. Linux does not get viruses in the sense that its never happened.

I assume you mean there is likely to be similar security holes in a bleeding edge easy to use distro as windows which may be true.Linux is extremely hard to compare security on as you can everything from a full on SElinux setup to whatever ASUS use to distribute.

I think rapid updates all security wholes are fixed within a week (worse case) and a low user base make Linux so unattractive for virus spreading that no one needs to worry. When there a successful virus for Linux, then Linux security becomes non-hypothetical and decisions can be made on the security convince trade-off (as of now its just all inconvenience for malware threats).

All three largest OS - Windows, OS X and Linux - are pretty much equivalent now.

So this story finally got me motivated to update ClamXAV and scan my drive. It's been running for a couple of hours now, and so far it has found 4 viruses/trojans... Windows viruses:) They are apparently sitting in my Gmail account, which I mirror locally. One of them is a windows screensaver virus of some kind sitting in my Downloads folder.

I'll get back to putting clam on my FreeBSD server as well. My Windows machine is obviously protected (with AVG).

The other day my NAS reported to me that there are some virus files it quarantined in the Mac backup sparsebundle. So of course i run out and install Sophos on the mac and do a full scan. Turns out it was my Win XP VM that got hosed. So in this case, macs DO get PC viruses.